Security Advisories

mozjpeg DecompressScanlines::read_scanlines is Unsound

This issue and its vector are similar to RUSTSEC-2020-0029 in the rgb crate, on which mozjpeg depends.

Affected versions of the mozjpeg crate allow creating instances of any type T from raw bytes and do not correctly constrain T to the types for which doing so is safe.

Examples of safety violations possible for a type T:

The issue was fixed in 0.8.19 by using safer types, which involved bumping the rgb dependency.
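An added example, not code from mozjpeg or rgb, showing in Rust why a generic "bytes to Vec<T>" reader is unsound for arbitrary T and how a trait bound on T closes the hole. The `Pod` marker trait, the `Rgb` pixel type, `read_scanlines` and `ScanlineError` are illustrative names assumed here, and the sample pixel bytes are constructed.

```rust
// Added example (not mozjpeg's code). The advisory's unsound pattern is a
// generic reader that hands back Vec<T> for *any* T built from raw bytes.
// Here T is constrained by an `unsafe` marker trait that only plain-old-data
// pixel types implement, so a caller cannot pick a T with invalid bit patterns.
use std::mem::size_of;

/// Types for which every byte pattern is a valid value and which hold no
/// references or padding. Implementing it is `unsafe`: the implementor vouches
/// for that property, and the decoder then only needs `T: Pod` to be sound.
pub unsafe trait Pod: Copy {}

#[derive(Clone, Copy, Debug, PartialEq)]
#[repr(C)]
pub struct Rgb { pub r: u8, pub g: u8, pub b: u8 }

unsafe impl Pod for u8 {}
unsafe impl Pod for Rgb {} // three u8 fields, no padding, any bits are valid
// Deliberately no impl for `bool`, `char`, `&T` or types with invariants:
// `read_scanlines::<bool>(..)` fails to compile instead of yielding UB.

#[derive(Debug, PartialEq)]
pub enum ScanlineError { LengthNotMultipleOfPixel }

/// Reinterpret a decoded scanline buffer as pixels of type `T`.
/// Safe to call: the `T: Pod` bound plus the length check make the
/// `read_unaligned` precondition hold on every reachable path.
pub fn read_scanlines<T: Pod>(bytes: &[u8]) -> Result<Vec<T>, ScanlineError> {
    let px = size_of::<T>();
    if px == 0 || bytes.len() % px != 0 {
        return Err(ScanlineError::LengthNotMultipleOfPixel);
    }
    let pixels = bytes
        .chunks_exact(px)
        // SAFETY: each chunk is exactly size_of::<T>() readable bytes, and
        // T: Pod guarantees any bit pattern is a valid T. read_unaligned
        // avoids assuming the u8 buffer is aligned for T.
        .map(|chunk| unsafe { std::ptr::read_unaligned(chunk.as_ptr() as *const T) })
        .collect();
    Ok(pixels)
}

fn main() {
    // Constructed sample: two RGB pixels, pure red then pure green.
    let buf = [255u8, 0, 0, 0, 255, 0];
    println!("{:?}", read_scanlines::<Rgb>(&buf));
    println!("{:?}", read_scanlines::<Rgb>(&buf[..4]));
}
```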

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago

Identifiers: GHSA-v8gq-5grq-9728

Affected Packages

Versions: < 0.8.19
Fixed in: 0.8.19